NATIXIS - 2018 Registration document and annual financial report

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

A combined “Global Banking (Damages to Valuables and a Fraud)” & “Professional Liability” policy with a total maximum payout of €148 million per year of insurance (of which €133 million has been pooled with Groupe BPCE), of which: €15 million per year, combined “Fraud/Professional Civil a) Liability” insurance available, subordinate to the amounts guaranteed set out in b) and/or c) and/or d) below, €38 million per claim and per year, solely reserved for b) “Global Banking” risk, €25 million per claim and per year, solely reserved for c) “Professional Civil Liability” risk, €70 million per claim and per year, combined “Global d) Banking/Professional Civil Liability” insurance available in addition to or after use of the amounts guaranteed set out in b) and/or c) above. The maximum amount that can be paid out for any one claim under this arrangement is €109.50 million under “Professional Civil Liability” coverage and €109 million under “Fraud” coverage in excess of the applicable deductibles. “Regulated Intermediation Liability” (in three areas: Financial a Intermediation, Insurance Intermediation, Real Estate Transactions/Management) with a total maximum payout of €10 million per claim and per year; “Operating Liability” covering €100 million per claim, as well a as a “Subsidiary Owner Civil Liability”/“Post Delivery-Reception Civil Liability” coverage extension for up to €35 million per claim and per year of insurance; “Company Directors Liability” for up to €200 million per claim a and per year of insurance; “Property Damage to Offices and to their content” (including a IT equipment) and the consecutive “losses in banking activities”, for up to €400 million per claim; “Protection of Digital Assets against Cyber-Risks” & the a consecutive “losses in banking activities”, for up to €140 million per claim and per year of insurance. This coverage extends worldwide for initial risk or umbrella risk, subject to certain exceptions, mainly in terms of “Professional Civil Liability” where the policy does not cover permanent institutions based in the United States (where coverage is obtained locally by Natixis’ US operations). All the insurance policies mentioned above were taken out with reputable, creditworthy insurance companies. All the insurance policies mentioned above are purchased with deductibles (accepted retention level) in accordance with Natixis' retention capacity.

Measures to reduce risk Natixis has implemented measures in every business line and support function to monitor the corrective actions to reduce the Bank’s exposure to operational risks. Nearly 64% of the almost 450 corrective actions initiated in 2018 were implemented by the business lines in charge and are monitored by the business line and central Operational Risk Committees. These actions, defined to reduce and resolve operational risk, are ranked by priority depending on the risks incurred. An alert system has been set up to prompt assessment by the Natixis Operational Risks Committee of any delays in implementing first-level corrective actions. Risk profile 3.2.6.4 In 2018, a risk analysis was performed on all of Natixis’ business lines and support and control functions. Verifying consistency with the results from internal audits and the results of permanent controls highlighted the most important risks for each scope and helped prioritize corrective measures to be implemented in order to improve the risk management mechanism. The Corporate & Investment Banking business lines represent the majority of risks under review owing to the extensive nature of the division's activities and operations in both France and internationally. Natixis’ risk profile features two main risk categories in terms of high potential impact: business line risk, concentrated under Corporate & Investment Banking, and overall risk (cyber, regulatory, loss of access to premises or information systems, or of availability of employees) to which the Company as a whole is exposed. Tailored risk management mechanisms have been introduced to cover these risks, including the safeguarding of procedures and controls, raising employee awareness, Business Continuity Plans, IT Systems Security and insurance policies. Operational risk insurance 3.2.6.5 Reporting to the Natixis Insurance division, the Groupe BPCE Risk Insurance Department is responsible for: analyzing insurable operational risks; a taking out appropriate insurance coverage (direct insurance a and/or transfer). Natixis and its subsidiaries benefit from the guarantees provided in the following main insurance programs: covering its insurable operational risks; and which are pooled a with Groupe BPCE (with the exception of the risk described in point a) below);

146

Natixis Registration Document 2018